AMENDMENTS TO THE CLAIMS

Please amend the claims as follows. 

1. (Currently amended) A method of operating a directory server system[[, comprising a
directory server interacting with entries organized in a tree structure, in which said entries
comprise user entries and role entries, ones of said role entries defining a role, and having an
associated scope in the tree, the scope being defined from the location of said ones of said
role entries in the tree, according to a predefined rule, with the role of an existing role entry
being attached to a user entry subject to a first condition, which comprises a role membership
condition and the fact that the user entry belongs to the scope of the existing role entry, the
method]] comprising:

a) associating an existing role entry in a tree structure with a first user entry in the
tree structure, wherein a directory server interacts with entries in the tree
structure, and wherein the existing role entry defines a role and has an associated
scope in the tree structure based on the existing role entry's location in the tree
structure according to a predefined rule, said associating comprising attaching the
role to the first user entry subject to a first condition comprising a role
membership condition and the first user entry belonging to the associated scope;

b) [[adding extra role data to the existing role entry identifying an extra scope in the
tree for the existing role entry]] adding an attribute to the existing role entry having
a special attribute name and being associated with an attribute value defining an
extra scope in the tree structure for the existing role entry, wherein the attribute
value identifies a designated location in the tree structure outside the existing role
entry's associated scope, and further wherein the extra scope is based on the
designated location according to a second predefined rule; and

[[b)]]c) attaching the role of the existing role entry to a second user entry subject
to a second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

2. (Currently Amended) The method of claim 1, wherein the existing role entry [[is an indirect
role entry designating one or more other roles]] is a nested role entry defining at least one
other role.

3. (Currently Amended) The method of claim 2, wherein the existing [[indirect]] role entry has
an attribute [[designating the said one or more other roles]] defining the at least one other role.

4. (Currently Amended) The method of claim 1, wherein the role membership condition 
comprises [[the]] a candidate user entry having an attribute designating the role [[in]] defined 
by the existing role entry. 

5. (Currently Amended) The method of claim 1, wherein the existing role entry has a role filter 
condition, and the role membership condition comprises one or more attributes of [[the]] a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Currently Amended) The method of claim [[8]] 1, wherein the extra scope is defined as a
subtree of the designated location. 

10. (Currently Amended) The method of claim 1, wherein the predefined rule comprises 
defining the existing role entry's associated scope [[of the existing role entry]] as a subtree of 
a parent of the existing role entry in the tree structure.

11. (Currently Amended) The method of claim 1, further comprising:

[[c)]]d) responding to a request of whether a designated user entry has a given role
by:

[[c1)]]d1) [[determining]] identifying a corresponding role entry corresponding to
the given role[[,]];

[[c2)]]d2) determining whether the designated user entry meets the first condition
in relation to the corresponding role entry;[[,]]

[[c3]]d3) if the designated user entry does not meet the first condition in relation
to the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope[[,]]; and[[,]]

[[c4]]d4) [[if the designated user entry does meet the first condition]] if the
corresponding role entry has extra role data, determining whether the
designated user entry meets the second condition in relation to the
corresponding role entry.

12. (Currently Amended) The method of claim 1, further comprising: 

[[c)]]d) responding to a request for any user entries having a given role by:

[[c1)]]d1) [[determining]] identifying a corresponding role entry corresponding to
the given role[[,]];

[[c2)]]d2) scanning the tree to [[determine]] identify any user entries meeting the
first condition in relation to the corresponding role entry;[[,]] and

[[c3)]]d3) [[determining whether]] if the corresponding role entry [[corresponding
to the given role]] has extra role data identifying an extra scope, [[and, if so,]]
scanning the tree to [[determine]] identify any user entries meeting the second
condition in relation to the corresponding role entry.

13. (Currently Amended) The method of claim 1, further comprising:

[[c)]]d) responding to a request for roles of a given user entry by:

[[c1)]]d1) [[determining]] identifying a candidate role entry[[,]];

[[c2)]]d2) determining whether the given user entry meets the first condition [[for
the determined]] in relation to the candidate role entry[[,]];

[[c3)]]d3) if the given user entry does not meet the first condition in relation to
the candidate role entry[[. determining whether]] and the [[determined]]
candidate role entry has extra role data identifying an extra scope, [[and, if
so,]] determining whether the given user entry meets the second condition
[[for the determined]] in relation to the candidate role entry[[,]]; and

[[c4)]]d4) repeating said [[c1)]] d1) through said [[c3)]] d3) with other candidate
role entries until an end condition is met.

14. (Currently Amended) The method of claim 13, wherein the end condition comprises having 
[[scanned]] performed said d1) through said d3) with substantially all the applicable [[roles]]
candidate role entries.

15. (Currently Amended) The method of claim 13, [[in which]] wherein the given user entry
belongs to a subtree of a top suffix of the tree structure, [[wherein:]] said [[c2)]] d2) is
performed for each role entry belonging to the subtree of said top suffix, and said [[c3)]] d3)
is performed for each role entry belonging to any subtree of any top suffix of the tree
structure[[, for each role belonging to the subtree of said top suffix]].
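
The evaluation order recited in claims 1, 9, 10 and 11 above, with the enumeration of claim 12, can be sketched as follows. This is an added example, not code from the application; the attribute names `roleDN` and `extraScopeDN`, the dictionary-based tree, the filter form and all DNs are hypothetical, constructed for illustration.

```python
ROLE_ATTR = "roleDN"               # hypothetical user attribute designating a role (claim 4)
EXTRA_SCOPE_ATTR = "extraScopeDN"  # hypothetical "special attribute name" (claim 1, step b)

def rdns(dn):
    """Split a DN into normalized RDNs (constructed DNs only: no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_subtree(dn, base):
    """True if dn is base or lies below it; compares whole RDNs, not string suffixes."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parent(dn):
    return ",".join(rdns(dn)[1:])

def meets_membership(user, role_dn, role):
    """Role membership condition: explicit designation (claim 4) or role filter (claim 5)."""
    if any(rdns(v) == rdns(role_dn) for v in user.get(ROLE_ATTR, [])):
        return True
    flt = role.get("filter")  # constructed filter form: {attribute: required value}
    return bool(flt) and all(v in user.get(a, []) for a, v in flt.items())

def has_role(tree, user_dn, role_dn):
    """Claim 11, d1-d4: try the first condition, then the extra scope if one is present."""
    role, user = tree[role_dn], tree[user_dn]        # d1: identify the role entry
    if not meets_membership(user, role_dn, role):
        return False, "membership condition not met"
    if in_subtree(user_dn, parent(role_dn)):         # d2: associated scope (claim 10)
        return True, "associated scope"
    for base in role.get(EXTRA_SCOPE_ATTR, []):      # d3: extra role data present?
        if in_subtree(user_dn, base):                # d4: second condition (claim 9)
            return True, "extra scope " + base
    return False, "outside every scope"

def members(tree, role_dn):
    """Claim 12: scan the tree, recording which scope granted the role to each user."""
    out = {}
    for dn in tree:
        if dn != role_dn:
            ok, why = has_role(tree, dn, role_dn)
            if ok:
                out[dn] = why
    return out

ADMINS = "cn=admins,ou=eng,dc=example,dc=com"
TREE = {  # constructed sample directory
    ADMINS: {EXTRA_SCOPE_ATTR: ["ou=sales,dc=example,dc=com"]},
    "uid=ann,ou=eng,dc=example,dc=com": {ROLE_ATTR: [ADMINS]},
    "uid=bob,ou=sales,dc=example,dc=com": {ROLE_ATTR: [ADMINS]},
    "uid=cat,ou=hr,dc=example,dc=com": {ROLE_ATTR: [ADMINS]},
    "uid=dan,xou=sales,dc=example,dc=com": {ROLE_ATTR: [ADMINS]},
}

if __name__ == "__main__":
    for dn in TREE:
        if dn != ADMINS:
            print(dn, has_role(TREE, dn, ADMINS))
```

Returning the scope that granted the role lets an access review list separately the users who hold it only through the extra scope.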

16. (Currently Amended) A directory server system[[,]] comprising:

[[a directory server interacting with entries organized in a tree structure, said entries
comprising user entries and role entries, ones of said role entries defining a role
and having an associated scope in the tree structure, the scope being defined from
the location of said ones of said roles entries in the tree structure, according to a
predefined rule,]]

a directory server interacting with entries in a tree structure, said tree structure
comprising an existing role entry and a first user entry, wherein the existing role
entry defines a role and has an associated scope in the tree structure based on the
existing role entry's location in the tree structure according to a predefined rule;

a role mechanism capable of attaching [[a]] the existing role entry's role [[of an existing
role entry]] to [[a]] the first user entry subject to a first condition[[, said first
condition]] comprising a role membership condition and the first user entry
belonging to the associated scope[[ of the existing role entry,]]; and

said role mechanism [[being]] further capable of [[determining whether said existing role
entry has extra data designating an extra scope, and, if so, of]] attaching [[a]] the
existing rule entry's role [[of the existing rule entry]] to a second user entry
subject to a second condition[[, which comprises]] comprising said role
membership condition and the second user entry belonging to [[the]] an extra
scope identified by extra role data of the existing role entry, wherein the extra
role data comprise an added attribute having a special attribute name and being
associated with an attribute value identifying a designated location in the tree
structure outside of the existing role entry's associated scope, and the extra scope
is based on the designated location according to a second predefined rule.

17. (Currently Amended) The directory server system of claim 16, [[in which]] wherein the
existing role entry [[is an indirect role entry designating one or more other roles]] is a nested
role entry defining at least one other role.

18. (Currently Amended) The directory server system of claim 17, [[in which]] wherein the
existing [[indirect]] role entry has an attribute [[designating the said one or more other roles]]
defining the at least one other role.

19. (Currently Amended) The directory server system of claim 16, wherein the role membership
condition comprises [[the]] a candidate user entry having an attribute designating the role 
[[in the]] defined by the existing role entry. 

20. (Currently Amended) The directory server system of claim 16, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of [[the]] a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Currently Amended) The directory server system of claim [[23]] 16, wherein the extra scope 
is defined as a subtree of the designated location. 

25. (Currently Amended) The directory server system of claim 16, wherein the predefined rule 
comprises defining the existing role entry's associated scope [[of a role entry]] as a subtree 
of a parent of [[that]] the existing role entry in the tree structure.

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
[[has a first function for]] is further capable of responding to a request of whether a 
designated user entry has a given role[[, said first function being capable of]] by:

i) [[determining]] identifying a corresponding role entry corresponding to the
given role[[,]];

ii) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry[[,]];

iii) if the designated user entry does not meet the first condition in relation to the
corresponding role entry, determining whether the corresponding role entry
has extra role data defining an extra scope[[,]]; and[[,]]

iv) [[if the designated user entry does meet the first condition]] if the corresponding
role entry has extra role data, determining whether the designated user entry
meets the second condition in relation to the corresponding role entry.

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism
[[has a second function for]] is further capable of responding to a request for any user entries
having a given role[[, said second function being capable of]] by:

i) [[determining]] identifying a corresponding role entry corresponding to the given
role[[,]];

ii) scanning the tree to [[determine]] identify any user entries meeting the first
condition in relation to the corresponding role entry;[[.]] and

iii) [[determining whether]] if the corresponding role entry [[corresponding to the
given role]] has extra data identifying an extra scope, [[and, if so,]] scanning the
tree to [[determine]] identify any user entries meeting the second condition in
relation to the corresponding role entry.

28. (Currently Amended) The directory server system [[as claimed]] of claim 16, wherein the
role mechanism [[has a third function for]] is further capable of responding to a request for
[[the]] roles of a given user entry[[, said third function being capable of]] by:

i) [[determining]] identifying a candidate role entry[[,]];

ii) determining whether the given user entry meets the first condition [[for the
determined]] in relation to the candidate role entry[[,]];

iii) if the given user entry does not meet the first condition in relation to the candidate
role entry[[. determining whether]] and the determined role entry has extra data
identifying an extra scope, [[and, if so,]] determining whether the given user entry
meets the second condition [[for the determined]] in relation to the candidate role
entry[[,]]; and

iv) repeating said i) through said iii) with other candidate roles entries until an end
condition is met.

29. (Currently Amended) The directory server system of claim 28, wherein the end condition 
comprises having [[scanned]] performed said i) through said iii) with substantially all the 
applicable [[roles]] candidate role entries.

Application No.: 10/613,660
Docket No.: 03226/500001; P7528

30. (Currently Amended) The directory server system of claim 28, wherein [[in which]] the
given user entry belongs to a subtree of a top suffix of the tree structure, [[wherein:]] said ii)
is performed for each role entry belonging to the subtree of said top suffix, and said [[ii)]] iii)
is performed for each role entry belonging to any subtree of any top suffix of the tree
structure[[, for each role belonging to the subtree of said top suffix]].

31. (Currently amended) A computer readable medium having stored thereon instructions for
[[which when executed on a processor implement a method of operating a directory server
system, comprising a directory server interacting with entries organized in a tree structure, in
which said entries comprise user entries and role entries, ones of said role entries defining a
role, and having an associated scope in the tree, the scope being defined from the location of
said ones of said role entries in the tree, according to a predefined rule, with the role of an
existing role entry being attached to a user entry subject to a first condition, which comprises
a role membership condition and the fact that the user entry belongs to the scope of the
existing role entry, the method comprising]]:

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a predefined rule, said associating comprising attaching the 
role to the first user entry subject to a first condition comprising a role 
membership condition and the first user entry belonging to the associated scope;

b) [[adding extra role data to the existing role entry identifying an extra scope in the
tree for the existing role entry]] adding an attribute to the existing role entry having
a special attribute name and being associated with an attribute value defining an
extra scope in the tree structure for the existing role entry, wherein the attribute
value identifies a designated location in the tree structure outside the existing role
entry's associated scope, and further wherein the extra scope is based on the
designated location according to a second predefined rule; and

[[b)]]c) attaching the role of the existing role entry to a second user entry subject
to a second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

32. (Currently Amended) The computer readable medium of claim 31, wherein the existing role
entry [[is an indirect role entry designating one or more other roles]] is a nested role entry
defining at least one other role.

33. (Currently Amended) The computer readable medium of claim 32, wherein the existing
[[indirect]] role entry has an attribute [[designating the said one or more other roles]] defining
the at least one other role.

34. (Currently Amended) The computer readable medium of claim 31, wherein the role 
membership condition comprises [[the]] a candidate user entry having an attribute 
designating the role [[in]] defined by the existing role entry. 

35. (Currently Amended) The computer readable medium of claim 31, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of [[the]] a candidate user entry meeting the role filter condition. 

36. (Original) The computer readable medium of claim 35, wherein the existing role entry has an 
attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Currently Amended) The computer readable medium of claim [[38]] 31, wherein the extra
scope is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable medium of claim 31, wherein the predefined 
rule comprises defining the existing role entry's associated scope [[of the existing role
entry]] as a subtree of a parent of the existing role entry in the tree structure.

41. (Currently Amended) The computer readable medium of claim 31, [[wherein said method
further comprises]] further comprising instructions for:

[[c)]]d) responding to a request of whether a designated user entry has a given role
by:

[[c1)]]d1) [[determining]] identifying a corresponding role entry corresponding to
the given role[[,]];

[[c2)]]d2) determining whether the designated user entry meets the first condition
in relation to the corresponding role entry;[[,]]

[[c3]]d3) if the designated user entry does not meet the first condition in relation
to the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope[[,]]; and[[,]]

[[c4]]d4) [[if the designated user entry does meet the first condition]] if the
corresponding role entry has extra role data, determining whether the
designated user entry meets the second condition in relation to the
corresponding role entry.

42. (Currently Amended) The computer readable medium of claim 31, [[wherein said method
further comprises]] further comprising instructions for:

[[c)]]d) responding to a request for any user entries having a given role by:

[[c1)]]d1) [[determining]] identifying a corresponding role entry corresponding to
the given role[[,]];

[[c2)]]d2) scanning the tree to [[determine]] identify any user entries meeting the
first condition in relation to the corresponding role entry;[[.]] and

[[c3)]]d3) [[determining whether]] if the corresponding role entry [[corresponding
to the given role]] has extra role data identifying an extra scope, [[and, if so,]]
scanning the tree to [[determine]] identify any user entries meeting the second
condition in relation to the corresponding role entry.

43. (Currently Amended) The computer readable medium of claim 31, [[wherein said method
further comprises]] further comprising instructions for:

[[c)]]d) responding to a request for roles of a given user entry by:

[[c1)]]d1) [[determining]] identifying a candidate role entry[[,]];

[[c2)]]d2) determining whether the given user entry meets the first condition [[for
the determined]] in relation to the candidate role entry[[,]];

[[c3)]]d3) if the given user entry does not meet the first condition in relation to
the candidate role entry[[. determining whether]] and the [[determined]]
candidate role entry has extra role data identifying an extra scope, [[and, if
so,]] determining whether the given user entry meets the second condition
[[for the determined]] in relation to the candidate role entry[[,]]; and

[[c4)]]d4) repeating said [[c1)]] d1) through said [[c3)]] d3) with other candidate
role entries until an end condition is met.

44. (Currently Amended) The computer readable medium of claim 43, wherein the end condition 
comprises having [[scanned]] performed said d1) through said d3) with substantially all the
applicable [[roles]] candidate role entries.

45. (Currently Amended) The computer readable medium of claim 43, [[in which]] wherein the
given user entry belongs to a subtree of a top suffix of the tree structure, [[wherein:]] said
[[c2)]] d2) is performed for each role entry belonging to the subtree of said top suffix, and
said [[c3)]] d3) is performed for each role entry belonging to any subtree of any top suffix of
the tree structure[[, for each role belonging to the subtree of said top suffix]].